Note: Fill in control reference from CIS/other standards in 'Control number' column.

Sr.No.  Control Objective  (Control number: to be filled in)

1. Set 'privilege 1' for local users
2. Set 'transport input ssh' for 'line vty' connections
3. Set 'no exec' for 'line aux 0'
4. Create 'access-list' for use with 'line vty'
5. Set 'access-class' for 'line vty'
6. Set 'exec-timeout' to less than or equal to 10 minutes for 'line aux 0'
7. Set 'exec-timeout' to less than or equal to 10 minutes for 'line console 0'
8. Set 'exec-timeout' to less than or equal to 10 minutes for 'line tty'
9. Set 'exec-timeout' to less than or equal to 10 minutes for 'line vty'
10. Set 'transport input none' for 'line aux 0'
11. Set 'http Secure-server' limit
12. Set 'exec-timeout' to less than or equal to 10 min on 'ip http'
13. Enable 'aaa new-model'
14. Enable 'aaa authentication login'
15. Enable 'aaa authentication enable default'
16. Set 'login authentication' for 'line tty'
17. Set 'login authentication' for 'line vty'
18. Set 'login authentication' for 'ip http'
19. Set 'aaa accounting' to log all privileged use commands using 'commands 15'
20. Set 'aaa accounting connection'
21. Set 'aaa accounting exec'
22. Set 'aaa accounting network'
23. Set 'aaa accounting system'
24. Set the 'banner-text' for 'banner exec'
25. Set the 'banner-text' for 'banner login'
26. Set the 'banner-text' for 'banner motd'
27. Set the 'banner-text' for 'webauth banner'
28. Set 'password' for 'enable secret'
29. Enable 'service password-encryption'
30. Set 'username secret' for all local users
31. Set 'no snmp-server' to disable SNMP when unused
32. Unset 'private' for 'snmp-server community'
33. Unset 'public' for 'snmp-server community'
34. Do not set 'RW' for any 'snmp-server community'
35. Set the ACL for each 'snmp-server community'
36. Create an 'access-list' for use with SNMP
37. Set 'snmp-server host' when using SNMP
38. Set 'snmp-server enable traps snmp'
39. Set 'priv' for each 'snmp-server group' using SNMPv3
40. Require 'aes 128' as minimum for 'snmp-server user' when using SNMPv3
41. Configure Login Block
42. AutoSecure
43. Configuring Kerberos
44. Configure Web interface
45. Set the 'hostname'
46. Set the 'ip domain name'
47. Set 'modulus' to greater than or equal to 2048 for 'crypto key generate rsa'
48. Set 'seconds' for 'ip ssh timeout'
49. Set maximum value for 'ip ssh authentication-retries'
50. Set version 2 for 'ip ssh version'
51. Set 'no cdp run'
52. Set 'no ip bootp server'
53. Set 'no service dhcp'
54. Set 'no ip identd'
55. Set 'service tcp-keepalives-in'
56. Set 'service tcp-keepalives-out'
57. Set 'no service pad'
58. Set 'logging enable'
59. Set 'buffer size' for 'logging buffered'
60. Set 'logging console critical'
61. Set IP address for 'logging host'
62. Set 'logging trap informational'
63. Set 'service timestamps debug datetime'
64. Set 'logging source interface'
65. Set 'login success/failure logging'
66. Set 'ntp authenticate'
67. Set 'ntp authentication-key'
68. Set the 'ntp trusted-key'
69. Set 'key' for each 'ntp server'
70. Set 'ip address' for 'ntp server'
71. Create a single 'interface loopback'
72. Set AAA 'source-interface'
73. Set 'ntp source' to Loopback Interface
74. Set 'ip tftp source-interface' to the Loopback Interface
75. Set 'no ip source-route'
76. Set 'no ip proxy-arp'
77. Set 'no interface tunnel'
78. Set 'ip verify unicast source reachable-via'
79. Set 'ip access-list extended' to Forbid Private Source Addresses from External Networks
80. Set inbound 'ip access-group' on the External Interface
81. Require EIGRP Authentication if Protocol is Used
82. Set 'key'
83. Set 'key-string'
84. Set 'address-family ipv4 autonomous-system'
85. Set 'af-interface default'
86. Set 'authentication key-chain'
87. Set 'authentication mode md5'
88. Set 'ip authentication key-chain eigrp'
89. Set 'ip authentication mode eigrp'
90. Set 'authentication message-digest' for OSPF area
91. Set 'ip ospf message-digest-key md5'
92. Set 'key chain'
93. Set 'key'
94. Set 'key-string'
95. Set 'ip rip authentication key-chain'
96. Set 'ip rip authentication mode' to 'md5'
97. Set 'neighbor password'
Minimum Baseline Security Standard – Cisco S
Description
1. Access Rules
Default device configuration does not require strong user authentication,
potentially enabling unfettered access to an attacker that is able to reach the
device. Creating a local account with privilege level 1 permissions only allows
the local user to access the device with EXEC-level permissions; the user is
unable to modify the device without using the enable password. In addition,
require the use of an encrypted password as well.
Configuring VTY access control restricts remote access to only those
authorized to manage the device and prevents unauthorized users from
accessing the system.
Unused ports should be disabled, if not required, since they provide a potential
access path for attackers. Some devices include both an auxiliary and console
port that can be used to locally connect to and configure the device. The
console port is normally the primary port
used to configure the device; even when remote, backup administration is
required via console server or Keyboard, Video, Mouse (KVM) hardware. The
auxiliary port is primarily used for dial-up administration via an external
modem; instead, use other available methods.
VTY ACLs control what addresses may attempt to log in to the router.
Configuring VTY lines to use an ACL restricts the sources from which a user can
manage the device. You should limit the specific host(s) and/or network(s)
authorized to connect to and configure the device, via an approved protocol, to
those individuals or systems authorized to administer the device. For example,
you could limit access to specific hosts, so that network managers can
configure the devices only from specific network management workstations.
Make sure you configure all VTY lines to use the same ACL.
Restricting the type of network devices associated with the addresses on the
access-list further restricts remote access to those devices authorized to
manage the device and reduces the risk of unauthorized access.
This prevents unauthorized users from misusing abandoned sessions, for
example when a network administrator leaves for the day with a computer still
open on an enabled login session. There is a trade-off here between security
(shorter timeouts) and usability (longer timeouts). Review your local policies
and operational needs to determine the best timeout value. In most cases, this
should be no more than 10 minutes.
This prevents unauthorized users from misusing abandoned sessions, for
example when a network administrator leaves for the day with a computer still
open on an enabled login session. There is a trade-off here between security
(shorter timeouts) and usability (longer timeouts). Review your local policies
and operational needs to determine the best timeout value. In most cases, this
should be no more than 10 minutes.
This prevents unauthorized users from misusing abandoned sessions, for
example when a network administrator leaves for the day with a computer still
open on an enabled login session. There is a trade-off here between security
(shorter timeouts) and usability (longer timeouts). Review your local policies
and operational needs to determine the best timeout value. In most cases, this
should be no more than 10 minutes.
This prevents unauthorized users from misusing abandoned sessions, for
example when a network administrator leaves for the day with a computer still
open on an enabled login session. There is a trade-off here between security
(shorter timeouts) and usability (longer timeouts). Review your local policies
and operational needs to determine the best timeout value. In most cases, this
should be no more than 10 minutes.
Unused ports should be disabled, if not required, since they provide a potential
access path for attackers. Some devices include both an auxiliary and console
port that can be used to locally connect to and configure the device. The
console port is normally the primary port used to configure the device; even
when remote, backup administration is required via console server or
Keyboard, Video, Mouse (KVM) hardware. The auxiliary port is primarily
used for dial-up administration via an external modem; instead, use other
available methods.
This requirement addresses concurrent sessions for administrative accounts
and does not address concurrent sessions by a single administrator via multiple
administrative accounts.
The maximum number of concurrent sessions should be defined based upon
mission needs and the operational environment for each system. At a
minimum, limits must be set for SSH, HTTPS, account of last resort, and root
account sessions.
This prevents unauthorized users from misusing abandoned sessions, for
example when a network administrator leaves for the day with a computer still
open on an enabled login session. There is a trade-off here between security
(shorter timeouts) and usability (longer timeouts). Review your local policies
and operational needs to determine the best timeout value. In most cases, this
should be no more than 10 minutes.
This prevents unauthorized users from misusing abandoned sessions, for
example when a network administrator leaves for the day with a computer still
open on an enabled login session. There is a trade-off here between security
(shorter timeouts) and usability (longer timeouts). Review your local policies
and operational needs to determine the best timeout value. In most cases, this
should be no more than 10 minutes.
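The access-rule controls above (SSH-only VTY transport, an access-class on every VTY line, 'no exec' and 'transport input none' on the auxiliary port, and an exec-timeout of at most 10 minutes on every line) can be checked mechanically against a saved running-config. The following audit script is an added example and not tooling from this standard; the two sample configurations embedded in it are constructed, as are the hostname and the ACL name VTY-MGMT.

```python
"""Audit the 'line' sections of a Cisco IOS configuration against the access rules.

Added example with constructed sample configs; not tooling from the standard.
"""
import re
from typing import Dict, List, Optional

MAX_IDLE_SECONDS = 10 * 60  # the baseline's ceiling for exec-timeout


def parse_line_sections(config: str) -> Dict[str, List[str]]:
    """Map each 'line <type> <range>' header to its sub-commands.

    IOS nests sub-commands under a top-level command with a one-space indent;
    the next unindented command ends the block.
    """
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        else:
            current = None  # some other top-level command: not a line block
    return sections


def exec_timeout_seconds(cmds: List[str]) -> Optional[float]:
    """Idle timeout in seconds; inf for 'exec-timeout 0 0' (never time out);
    None when the line only inherits the platform default."""
    for cmd in cmds:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            total = int(m.group(1)) * 60 + int(m.group(2) or 0)
            return float("inf") if total == 0 else float(total)
    return None


def audit_line_sections(config: str) -> List[str]:
    """One finding per violated control, in configuration order."""
    findings: List[str] = []
    for name, cmds in parse_line_sections(config).items():
        kind = name.split()[0]  # con, aux, tty or vty
        idle = exec_timeout_seconds(cmds)
        if idle is None:
            findings.append(f"line {name}: exec-timeout not explicitly set")
        elif idle > MAX_IDLE_SECONDS:
            findings.append(f"line {name}: exec-timeout exceeds 10 minutes")
        if kind == "vty":
            if "transport input ssh" not in cmds:
                findings.append(f"line {name}: transport input is not ssh-only")
            if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
                findings.append(f"line {name}: no inbound access-class")
        if kind == "aux":
            if "no exec" not in cmds:
                findings.append(f"line {name}: exec not disabled")
            if "transport input none" not in cmds:
                findings.append(f"line {name}: transport input not set to none")
    return findings


# Constructed sample: line sections that satisfy the controls
HARDENED_CONFIG = """\
hostname edge-rtr
ip access-list standard VTY-MGMT
 permit 10.1.1.0 0.0.0.255
 deny   any log
line con 0
 exec-timeout 10 0
line aux 0
 no exec
 exec-timeout 5 0
 transport input none
line vty 0 4
 access-class VTY-MGMT in
 exec-timeout 10 0
 transport input ssh
"""

# Constructed sample: permissive defaults that violate several controls
WEAK_CONFIG = """\
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 30 0
line vty 0 4
 exec-timeout 60 0
 transport input telnet ssh
"""

if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_line_sections(cfg) or ["compliant"])
```

Note that 'exec-timeout 0 0' disables the idle timer entirely, which is why the parser treats it as infinite rather than as zero seconds; a naive numeric comparison would pass it as compliant.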
2. Local Authentication, Authorization and Accounting (AAA)
Authentication, authorization and accounting (AAA) services provide an
authoritative source for managing and monitoring access for devices.
Centralizing control improves consistency of access control, the services that
may be accessed once authenticated and accountability by tracking services
accessed. Additionally, centralizing access control simplifies and reduces
administrative costs of account provisioning and de-provisioning, especially
when managing a large number of devices.
Using AAA authentication for interactive management access to the device
provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA. Fallback
mode should also be enabled to allow emergency access to the router or
switch in the event that the AAA server is unreachable, by utilizing the
LOCAL keyword after the AAA server-tag.
Using AAA authentication for interactive management access to the device
provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA.
Using AAA authentication for interactive management access to the device
provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA.
Using AAA authentication for interactive management access to the device
provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA.
Using AAA authentication for interactive management access to the device
provides consistent, centralized control of your network. The default under
AAA (local or network) is to require users to log in using a valid user name
and password. This rule applies for both local and network AAA.
Authentication, authorization and accounting (AAA) systems provide an
authoritative source for managing and monitoring access for devices.
Centralizing control improves consistency of access control, the services that
may be accessed once authenticated and accountability by tracking services
accessed. Additionally, centralizing access control simplifies and reduces
administrative costs of account provisioning and de-provisioning, especially
when managing a large number of devices. AAA Accounting provides a
management and audit trail for user and administrative sessions through
RADIUS or TACACS+.
Authentication, authorization and accounting (AAA) systems provide an
authoritative source for managing and monitoring access for devices.
Centralizing control improves consistency of access control, the services that
may be accessed once authenticated and accountability by tracking services
accessed. Additionally, centralizing access control simplifies and reduces
administrative costs of account provisioning and de-provisioning, especially
when managing a large number of devices. AAA Accounting provides a
management and audit trail for user and administrative sessions through
RADIUS and TACACS+.
Authentication, authorization and accounting (AAA) systems provide an
authoritative source for managing and monitoring access for devices.
Centralizing control improves consistency of access control, the services that
may be accessed once authenticated and accountability by tracking services
accessed. Additionally, centralizing access control simplifies and reduces
administrative costs of account provisioning and de-provisioning, especially
when managing a large number of devices. AAA Accounting provides a
management and audit trail for user and administrative sessions through
RADIUS and TACACS+.
Authentication, authorization and accounting (AAA) systems provide an
authoritative source for managing and monitoring access for devices.
Centralizing control improves consistency of access control, the services that
may be accessed once authenticated and accountability by tracking services
accessed. Additionally, centralizing access control simplifies and reduces
administrative costs of account provisioning and de-provisioning, especially
when managing a large number of devices. AAA Accounting provides a
management and audit trail for user and administrative sessions through
RADIUS and TACACS+.
Authentication, authorization and accounting (AAA) systems provide an
authoritative source for managing and monitoring access for devices.
Centralizing control improves consistency of access control, the services that
may be accessed once authenticated and accountability by tracking services
accessed. Additionally, centralizing access control simplifies and reduces
administrative costs of account provisioning and de-provisioning, especially
when managing a large number of devices. AAA Accounting provides a
management and audit trail for user and administrative sessions through
RADIUS and TACACS+.
3. Banner Rules
"Network banners are electronic messages that provide notice of legal rights to
users of computer networks. From a legal standpoint, banners have four primary
functions.
-- First, banners may be used to generate consent to real-time monitoring
under Title III.
-- Second, banners may be used to generate consent to the retrieval of stored
files and records pursuant to ECPA.
-- Third, in the case of government networks, banners may eliminate any
Fourth Amendment "reasonable expectation of privacy" that government
employees or other users might otherwise retain in their use of the
government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
-- Fourth, in the case of a non-government network, banners may establish a
system administrator's "common authority" to consent to a law enforcement
search pursuant to United States v. Matlock, 415 U.S. 164 (1974)." (US
Department of Justice APPENDIX A: Sample Network Banner Language)
"Network banners are electronic messages that provide notice of legal rights to
users of computer networks. From a legal standpoint, banners have four primary
functions.
-- First, banners may be used to generate consent to real-time monitoring
under Title III.
-- Second, banners may be used to generate consent to the retrieval of stored
files and records pursuant to ECPA.
-- Third, in the case of government networks, banners may eliminate any
Fourth Amendment "reasonable expectation of privacy" that government
employees or other users might otherwise retain in their use of the
government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
-- Fourth, in the case of a non-government network, banners may establish a
system administrator's "common authority" to consent to a law enforcement
search pursuant to United States v. Matlock, 415 U.S. 164 (1974)." (US
Department of Justice APPENDIX A: Sample Network Banner Language)
"Network banners are electronic messages that provide notice of legal rights to
users of computer networks. From a legal standpoint, banners have four primary
functions.
-- First, banners may be used to generate consent to real-time monitoring
under Title III.
-- Second, banners may be used to generate consent to the retrieval of stored
files and records pursuant to ECPA.
-- Third, in the case of government networks, banners may eliminate any
Fourth Amendment "reasonable expectation of privacy" that government
employees or other users might otherwise retain in their use of the
government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
-- Fourth, in the case of a non-government network, banners may establish a
system administrator's "common authority" to consent to a law enforcement
search pursuant to United States v. Matlock, 415 U.S. 164 (1974)." (US
Department of Justice APPENDIX A: Sample Network Banner Language)
"Network banners are electronic messages that provide notice of legal rights to
users of computer networks. From a legal standpoint, banners have four
primary functions.
First, banners may be used to generate consent to real-time monitoring
under Title III.
Second, banners may be used to generate consent to the retrieval of stored
files and records pursuant to ECPA.
Third, in the case of government networks, banners may eliminate any
Fourth Amendment "reasonable expectation of privacy" that government
employees or other users might otherwise retain in their use of the
government's network under O'Connor v. Ortega, 480 U.S. 709 (1987).
Fourth, in the case of a non-government network, banners may establish a
system administrator's "common authority" to consent to a law enforcement
search pursuant to United States v. Matlock, 415 U.S. 164 (1974)." (US
Department of Justice APPENDIX A: Sample Network Banner Language)
4. Password Rules
Requiring the enable secret setting protects privileged EXEC mode. By
default, a strong password is not required; a user can just press the Enter key
at the Password prompt to start privileged mode. The enable password
command causes the device to enforce use of a password to access privileged
mode. Enable secrets use a one-way cryptographic hash (MD5). This is
preferred to Level 7 enable passwords that use a weak, well-known, and easily
reversible encryption algorithm.
This requires passwords to be encrypted in the configuration file to prevent
unauthorized users from learning the passwords just by reading the
configuration. When not enabled, many of the device's passwords will be
rendered in plain text in the configuration file. This
service ensures passwords are rendered as encrypted strings preventing an
attacker from easily determining the configured value.
Default device configuration does not require strong user authentication,
potentially enabling unfettered access to an attacker that is able to reach the
device. Creating a local account with an encrypted password enforces login
authentication and provides a fallback authentication mechanism for
configuration in a named method list in a situation where centralized
authentication, authorization, and accounting services are unavailable.
5. SNMP Rules
SNMP read access allows remote monitoring and management of the device.
The default community string "private" is well known. Using easy to guess,
well known community string poses a threat that an attacker can effortlessly
gain unauthorized access to the device.
The default community string "public" is well known. Using easy to guess,
well known community string poses a threat that an attacker can effortlessly
gain unauthorized access to the device.
Enabling SNMP read-write enables remote management of the device. Unless
absolutely necessary, do not allow simple network management protocol
(SNMP) write access.
If ACLs are not applied, then anyone with a valid SNMP community string
can potentially monitor and manage the router. An ACL should be defined and
applied for all SNMP access to limit access to a small number of authorized
management stations segmented in a trusted management zone. If possible,
use SNMPv3, which uses authentication, authorization, and data privatization
(encryption).
SNMP ACLs control what addresses are authorized to manage and monitor
the device via SNMP. If ACLs are not applied, then anyone with a valid
SNMP community string may monitor and manage the router. An ACL should
be defined and applied for all SNMP community strings to limit access to a
small number of authorized management stations segmented in a trusted
management zone.
If SNMP is enabled for device management and device alerts are required,
then ensure the device is configured to submit traps only to authorized
management systems.
SNMP has the ability to submit traps.
SNMPv3 provides much improved security over previous versions by offering
options for Authentication and Encryption of messages.
When configuring a user for SNMPv3 you have the option of using a range of
encryption schemes, or no encryption at all, to protect messages in transit.
AES128 is the minimum strength encryption method that should be deployed.
SNMPv3 provides much improved security over previous versions by offering
options for Authentication and Encryption of messages.
When configuring a user for SNMPv3 you have the option of using a range of
encryption schemes, or no encryption at all, to protect messages in transit.
AES128 is the minimum strength encryption method that should be deployed.
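The SNMP controls above reduce to a handful of checks on the `snmp-server` command set: no well-known default community strings, no `RW` communities, an ACL on every community, `priv` on every SNMPv3 group, and authentication plus AES-128-or-stronger privacy on every SNMPv3 user. The audit below is an added example, not tooling from this standard; the community names, group names, ACL number 99, placeholder passwords and management address are constructed.

```python
"""Audit Cisco IOS SNMP commands against the SNMP rules.

Added example with constructed sample commands; not tooling from the standard.
"""
import re
from typing import List

DEFAULT_COMMUNITIES = {"public", "private"}  # well-known defaults the controls remove
WEAK_PRIVACY = {"des", "3des"}                # below the baseline's aes 128 floor

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?$", re.I)
# snmp-server group <name> v3 {noauth|auth|priv} [access <acl>]
GROUP_RE = re.compile(r"snmp-server group (\S+) v3 (noauth|auth|priv)")
# snmp-server user <user> <group> v3 [auth {md5|sha} <pw> [priv {des|3des|aes 128|192|256} <pw>]]
USER_RE = re.compile(
    r"snmp-server user (\S+) (\S+) v3"
    r"(?: auth (md5|sha) \S+(?: priv (des|3des|aes(?: (?:128|192|256))?) \S+)?)?")


def audit_snmp(config: str) -> List[str]:
    """One finding per violated SNMP control; empty when SNMP is unused."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    if not any(l.startswith("snmp-server") for l in lines):
        return []  # 'no snmp-server': nothing to assess
    findings: List[str] = []
    for line in lines:
        m = COMMUNITY_RE.match(line)
        if m:
            name, mode, acl = m.groups()
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"community '{name}': well-known default string")
            if mode and mode.upper() == "RW":
                findings.append(f"community '{name}': read-write access")
            if acl is None:
                findings.append(f"community '{name}': no ACL restricting managers")
            continue
        m = GROUP_RE.match(line)
        if m:
            group, level = m.groups()
            if level != "priv":
                findings.append(f"group '{group}': security level '{level}' is not priv")
            continue
        m = USER_RE.match(line)
        if m:
            user, _group, auth, priv = m.groups()
            if auth is None:
                findings.append(f"user '{user}': no authentication configured")
            elif priv is None:
                findings.append(f"user '{user}': authenticated but unencrypted (authNoPriv)")
            elif priv in WEAK_PRIVACY:
                findings.append(f"user '{user}': privacy '{priv}' is below the aes 128 floor")
    return findings


# Constructed sample of commands as entered. IOS does not echo 'snmp-server user'
# lines into 'show running-config'; take those from 'show snmp user' or the template.
WEAK_SNMP = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community n3tm0n RO 99
snmp-server group NMS-GRP v3 auth
snmp-server group NMS-GRP-PRIV v3 priv access 99
snmp-server user probe NMS-GRP v3
snmp-server user legacy NMS-GRP v3 auth md5 <AUTH-PW> priv des <PRIV-PW>
snmp-server user nms NMS-GRP-PRIV v3 auth sha <AUTH-PW> priv aes 128 <PRIV-PW>
"""

# Constructed sample: SNMPv3 only, priv group behind an ACL, AES-128 user, trap host
HARDENED_SNMP = """\
access-list 99 permit 10.1.1.50
snmp-server group NMS-GRP-PRIV v3 priv access 99
snmp-server user nms NMS-GRP-PRIV v3 auth sha <AUTH-PW> priv aes 128 <PRIV-PW>
snmp-server host 10.1.1.50 version 3 priv nms
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SNMP), ("hardened", HARDENED_SNMP)):
        print(label, audit_snmp(cfg) or ["compliant"])
```

The sample feeds the commands as entered rather than a captured running-config, because IOS deliberately omits `snmp-server user` lines from `show running-config`; an audit that reads only the running-config will silently miss the SNMPv3 user checks.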
6. Login Enhancements
If the configured number of connection attempts fail within a specified time
period, the Cisco device will not accept any additional connections for a
"quiet period." (Hosts that are permitted by a predefined access-control list
[ACL] are excluded from the quiet period.)
The number of failed connection attempts that trigger the quiet period can be
specified via the global configuration mode command login block-for.
The predefined ACL that is excluded from the quiet period can be specified
via the global configuration mode command login quiet-mode access-class.
The AutoSecure feature secures a router by using a single CLI command to
disable common IP services that can be exploited for network attacks, enable
IP services and features that can aid in the defense of a network when under
attack, and simplify and harden the security configuration of the router.
Authenticating to the Boundary Router: this section describes the first layer of
security that remote users must pass through when they attempt to access a
network. The first step in the Kerberos authentication process is for users to
authenticate themselves to the boundary router. The following process
describes how users authenticate to a boundary router:
The combination of the IP address and UDP port number creates a unique
identifier, that enables RADIUS requests to be sent to multiple UDP ports on a
server at the same IP address. If two different host entries on the same
RADIUS server are configured for the same service (for example,
authentication) the second host entry that is configured
functions as the failover backup to the first one. The RADIUS host entries are
chosen in the order that they were configured.
6. Global Service Rules
The domain name is a prerequisite for setting up SSH.
The domain name is a prerequisite for setting up SSH.
An RSA key pair is a prerequisite for setting up SSH and should be at least
2048 bits. NOTE: IOS does NOT display the modulus bit value in the Audit
Procedure.
This reduces the risk of an administrator leaving an authenticated session
logged in for an extended period of time.
This limits the number of times an unauthorized user can attempt a password
without having to establish a new SSH login attempt. This reduces the
potential for success during online brute force attacks by limiting the number
of login attempts per SSH connection.
SSH Version 1 has been subject to a number of serious vulnerabilities and is
no longer considered to be a secure protocol, resulting in the adoption of SSH
Version 2 as an Internet Standard in 2006. Cisco routers support both versions,
but due to the weakness of SSH Version 1 only the later standard should be used.
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use
to identify each other on a LAN segment. It is useful only in network
monitoring and troubleshooting situations but is considered a security risk
because of the amount of information provided from queries. In addition, there
have been published denial-of-service (DoS) attacks that use CDP. CDP
should be completely disabled unless necessary.
BootP allows a router to issue IP addresses. This should be disabled unless
there is a specific requirement.
The DHCP server supplies automatic configuration parameters, such as a
dynamic IP address, to requesting systems. A dedicated server located in a
secured management zone should be used to provide DHCP services instead.
The service can potentially be used by attackers for denial-of-service (DoS)
attacks.
Identification protocol enables identifying a user's transmission control
protocol (TCP) session. This information disclosure could potentially provide
an attacker with information about users.
Stale connections use resources and could potentially be hijacked to gain
illegitimate access. The TCP keepalives-in service generates keepalive packets
on idle incoming network connections (initiated by remote host). This service
allows the device to detect when the remote host fails and drop the session. If
enabled, keepalives are sent once per minute on idle connections. The
connection is closed within five minutes if no keepalives are received or
immediately if the host replies with a reset packet.
Stale connections use resources and could potentially be hijacked to gain
illegitimate access. The TCP keepalives-in service generates keepalive packets
on idle incoming network connections (initiated by remote host). This service
allows the device to detect when the remote host fails and drop the session. If
enabled, keepalives are sent once per minute on idle connections. The
connection is closed within five minutes if no keepalives are received or
immediately if the host replies with a reset packet.
If the PAD service is not necessary, disable the service to prevent intruders
from accessing the X.25 PAD command set on the router.
7. Logging Rules
Logging provides a chronological record of activities on the Cisco device and
allows monitoring of both operational and security related events.
The device can copy and store log messages to an internal memory buffer. The
buffered data is available only from a router exec or enabled exec session.
This form of logging is useful for debugging and monitoring when logged in
to a router.
This configuration determines the severity of messages that will generate
console messages. Logging to console should be limited only to those
messages required for immediate troubleshooting while logged into the
device. This form of logging is not persistent; messages printed to the console
are not stored by the router. Console logging is handy for operators when they
use the console.
Cisco routers can send their log messages to a Unix-style Syslog service. A
syslog service simply accepts messages and stores them in files or prints them
according to a simple configuration file. This form of logging is best because
it can provide protected long-term storage for logs (the device's internal
logging buffer has limited capacity to store events). In addition, logging to an
external system is highly recommended or required by most security
standards. If desired or required by policy, law and/or regulation, enable a
second syslog server for redundancy.
This determines the severity of messages that will generate simple network
management protocol (SNMP) trap and or syslog messages. This setting
should be set to either "debugging" (7) or "informational" (6), but no lower.
Including timestamps in log messages allows correlating events and tracing
network attacks across multiple devices. Enabling service timestamp to mark
the time log messages were generated simplifies obtaining a holistic view of
events enabling faster troubleshooting of issues or attacks.
This is required so that the router sends log messages to the logging server
from a consistent IP address.
Without generating audit records that are specific to the security and mission
needs of the organization, it would be difficult to establish, correlate, and
investigate the events relating to an incident or identify those responsible for
one.
7. NTP rules
Using authenticated NTP ensures the Cisco device only permits time updates
from authorized NTP servers.
Using an authentication key provides a higher degree of security as only
authenticated NTP servers will be able to update time for the Cisco device.
This authentication function provides protection against accidentally
synchronizing the system to another system that is not trusted, because the
other system must know the correct authentication key.
This authentication feature provides protection against accidentally
synchronizing the ntp system to another system that is not trusted, because the
other system must know the correct authentication key.
To ensure that the time on your Cisco router is consistent with other devices in
your network, at least two (and preferably at least three) NTP servers
external to the router should be configured.
Ensure you also configure consistent timezone and daylight savings time
settings for all devices. For simplicity, use the default of Coordinated
Universal Time (UTC).
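The Logging Rules and NTP rules above are mostly top-level commands, but two of them need more than a presence check: `logging trap` and `logging console` take a severity by name or number that has to be compared against the thresholds the text gives (informational or debugging for traps, critical for the console), and every `ntp server ... key N` is only authenticated if key N is both defined with `ntp authentication-key` and listed as an `ntp trusted-key`. The script below is an added example covering both sections, not tooling from this standard; the sample configurations, addresses and placeholder key are constructed.

```python
"""Check the logging and NTP controls against a Cisco IOS configuration.

Added example with constructed sample configs; not tooling from the standard.
"""
import re
from typing import List, Optional

# IOS syslog severities; 'logging trap' and 'logging console' accept name or number
SEVERITIES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
              "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def severity(token: str) -> Optional[int]:
    """Severity number for a name or digit string; None if unrecognised."""
    if token.isdigit():
        return int(token) if int(token) in SEVERITIES.values() else None
    return SEVERITIES.get(token)


def first(lines: List[str], prefix: str) -> Optional[str]:
    """First command equal to, or starting with, the given prefix."""
    return next((l for l in lines if l == prefix or l.startswith(prefix + " ")), None)


def configured_level(lines: List[str], command: str) -> Optional[int]:
    cmd = first(lines, command)
    tokens = cmd.split() if cmd else []
    return severity(tokens[2]) if len(tokens) > 2 else None


def audit_logging(lines: List[str]) -> List[str]:
    findings = []
    trap = configured_level(lines, "logging trap")
    if trap is None or trap < SEVERITIES["informational"]:
        findings.append("logging trap: must be informational (6) or debugging (7)")
    console = configured_level(lines, "logging console")
    if console is None or console > SEVERITIES["critical"]:
        findings.append("logging console: limit to critical (2) or more severe")
    required = (("logging buffered", "no local log buffer sized"),
                ("logging host", "no syslog host"),
                ("logging source-interface", "logging source not pinned to an interface"),
                ("service timestamps log datetime", "log messages not timestamped"))
    findings += [f"{cmd}: {why}" for cmd, why in required if first(lines, cmd) is None]
    return findings


def audit_ntp(lines: List[str]) -> List[str]:
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate: not enabled")
    defined = {m.group(1) for m in (re.match(r"ntp authentication-key (\d+) ", l) for l in lines) if m}
    trusted = {m.group(1) for m in (re.match(r"ntp trusted-key (\d+)$", l) for l in lines) if m}
    servers = [l.split() for l in lines if l.startswith("ntp server ")]
    if len(servers) < 2:
        findings.append("ntp server: fewer than two servers configured")
    for tokens in servers:
        host = tokens[2]
        key = tokens[tokens.index("key") + 1] if "key" in tokens else None
        if key is None:
            findings.append(f"ntp server {host}: no authentication key")
            continue
        if key not in defined:
            findings.append(f"ntp server {host}: key {key} has no ntp authentication-key")
        if key not in trusted:
            findings.append(f"ntp server {host}: key {key} is not an ntp trusted-key")
    if first(lines, "ntp source") is None:
        findings.append("ntp source: not set to the loopback interface")
    return findings


def audit(config: str) -> List[str]:
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    return audit_logging(lines) + audit_ntp(lines)


# Constructed sample: verbose console, quiet traps, unauthenticated and half-configured NTP
WEAK_CONFIG = """\
logging buffered 4096
logging console debugging
logging trap warnings
ntp server 10.1.1.70
ntp server 10.1.1.71 key 2
ntp authentication-key 1 md5 <CONSTRUCTED-KEY>
ntp trusted-key 1
"""

# Constructed sample that satisfies both sections
HARDENED_CONFIG = """\
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
logging buffered 64000 informational
logging console critical
logging trap informational
logging source-interface Loopback0
logging host 10.1.1.60
ntp authentication-key 1 md5 <CONSTRUCTED-KEY>
ntp authenticate
ntp trusted-key 1
ntp source Loopback0
ntp server 10.1.1.70 key 1 prefer
ntp server 10.1.1.71 key 1
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["compliant"])
```

The NTP check is deliberately a three-way cross-reference: a server line with `key 2` passes a naive grep for "key", yet if key 2 is never defined or never trusted the device will not accept that server's time, which is exactly the silent failure the two preceding descriptions warn about.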
8. Loopback Rules
Software-only loopback interface that emulates an interface that is always up.
It is a virtual interface supported on all platforms.
Alternate loopback addresses create a potential for abuse, mis-configuration,
and inconsistencies. Additional loopback interfaces must be documented and
approved prior to use by local security personnel.
This is required so that the AAA server (RADIUS or TACACS+) can easily
identify routers and authenticate requests by their IP address.
Set the source address to be used when sending NTP traffic. This may be
required if the NTP servers you peer with filter based on IP address.
This is required so that the TFTP servers can easily identify routers and
authenticate requests by their IP address.
9. Routing Rules
Source routing is a feature of IP whereby individual packets can specify
routes. This feature is used in several kinds of attacks. Cisco routers normally
accept and process source routes. Unless a network depends on source routing,
it should be disabled.
Address Resolution Protocol (ARP) provides resolution between IP and MAC
Addresses (or other Network and Link Layer addresses on non-IP networks)
within a Layer 2 network. Proxy ARP is a service where a device connected to
one network (in this case the Cisco router) answers ARP Requests which are
addressed to a host on another network, replying with its own MAC Address
and forwarding the traffic on to the intended host.
Tunnel interfaces should not exist in general. They can be used for malicious
purposes. If they are necessary, the network admins should be well aware of
them and their purpose.
Enabling uRPF helps mitigate IP spoofing by ensuring that packet source IP
addresses only originate from expected interfaces. Configure unicast reverse-
path forwarding (uRPF) on all external or high risk interfaces.
10. Border Router Filtering
Configuring access controls can help prevent spoofing attacks. To reduce the
effectiveness of IP spoofing, configure access control to deny any traffic from
the external network that has a source address that should reside on the
internal network. Include local host address or any reserved private addresses
(RFC 1918). Ensure the permit rule(s) above the final deny rule only allow
traffic according to your organization's least privilege policy.
11. Neighbor Authentication
Routing protocols such as DRP Agent, EIGRP, and RIPv2 use key chains for
authentication.
Configure an authentication key on a key chain.
Configure the authentication string for a key.
BGP is a true multi-protocol routing protocol and the 'address-family' feature
enables restriction of exchanges with specific neighbors.
Defines user defaults to apply to EIGRP interfaces that belong to an address family.
Configure the EIGRP address family key chain.
Configure authentication to prevent unapproved sources from introducing
unauthorized or false service messages.
Configuring EIGRP authentication key-chain number and name to restrict
packet exchanges between network devices.
Configure authentication to prevent unapproved sources from introducing
unauthorized or false routing messages.
12. OSPF Authentication
This is part of the OSPF authentication setup.
Enable Open Shortest Path First (OSPF) Message Digest 5 (MD5)
authentication.
13. RIPv2 Authentication
Define an authentication key chain to enable authentication for RIPv2 routing
protocols.
Configure an authentication key on a key chain.
Configure the authentication string for a key.
Enable authentication for Routing Information Protocol (RIP) Version 2
packets and to specify the set of keys that can be used on an interface.
Configure the Interface with the RIPv2 key chain.
14. BGP Authentication
Enforcing routing authentication reduces the likelihood of routing poisoning
and unauthorized routers from joining BGP routing.
Minimum Baseline Security Standard – Cisco Switch
Verification
1. Access Rules
Perform the following to determine if local users are set to privilege level 1:
Verify all username results return "privilege 1"
hostname#show run | incl privilege
Perform the following to determine if SSH is the only transport method for
incoming VTY logins:
The result should show only "ssh" for "transport input"
hostname#sh run | sec vty
Perform the following to determine if the EXEC process for the aux port is
disabled:
Verify no exec
hostname#sh run | sec aux
Verify you see the following "no exec"
hostname#sh line aux 0 | incl exec
Perform the following to determine if the ACL is created:
Verify the appropriate access-list definitions
hostname#sh ip access-list <vty_acl_number>
Perform the following to determine if the ACL is set:
Verify you see the access-class defined
hostname#sh run | sec vty <line-number> <ending-line-number>
Perform the following to determine if the timeout is configured:
Verify you return a result. NOTE: If you set an exec-timeout of 10 minutes,
this will not show up in the configuration
hostname#sh run | sec line aux 0
Perform the following to determine if the timeout is configured:
Verify you return a result
NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the
configuration
hostname#sh run | sec line con 0
Perform the following to determine if the timeout is configured:
Verify you return a result
NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the
configuration
hostname#sh line tty <tty_line_number> | begin Timeout
Perform the following to determine if the timeout is configured:
Verify you return a result
NOTE: If you set an exec-timeout of 10 minutes, this will not show up in the
configuration
hostname#sh line vty <tty_line_number> | begin Timeout
Perform the following to determine if inbound connections for the aux port are
disabled:
Verify you see the following: "Allowed input transports are none"
hostname#sh line aux 0 | incl input transports
The result should show ip http secure-server with max connections on
following line
hostname#show run | inc ip http secure-server
Perform the following to determine if the timeout is configured:
hostname#sh run | beg ip http timeout-policy
2. Local Authentication, Authorization and Accounting (AAA)
Perform the following to determine if AAA services are enabled:
hostname#show running-config | incl aaa new-model
Perform the following to determine if AAA authentication for login is
enabled:
hostname#show run | incl aaa authentication login
If a result does not return, the feature is not enabled.
Perform the following to determine if AAA authentication enable mode is
enabled:
hostname#show running-config | incl aaa authentication enable
Perform the following to determine if AAA authentication for line login is
enabled:
If the command does not return a result for each management access method,
the feature is not enabled
hostname#sh run | sec line | incl login authentication
Perform the following to determine if AAA authentication for line login is
enabled:
If the command does not return a result for each management access method,
the feature is not enabled
hostname#sh run | sec line | incl login authentication
Perform the following to determine if AAA authentication for line login is
enabled:
If the command does not return a result for each management access method,
the feature is not enabled
hostname#show running-config | inc ip http authentication
Perform the following to determine if aaa accounting for commands is
required:
Verify a command string result returns
hostname#sh run | incl aaa accounting commands
Perform the following to determine if aaa accounting for connection is
required:
Verify a command string result returns
hostname#sh run | incl aaa accounting connection
Perform the following to determine if aaa accounting for EXEC shell session
is required:
Verify a command string result returns
hostname#sh run | incl aaa accounting exec
Perform the following to determine if aaa accounting for network is required:
Verify a command string result returns
hostname#sh run | incl aaa accounting network
Perform the following to determine if aaa accounting system is required:
Verify a command string result returns
hostname#sh run | incl aaa accounting system
3. Banner Rules
Perform the following to determine if the exec banner is set:
hostname#sh running-config | beg banner exec
If the command does not return a result, the banner is not enabled
Perform the following to determine if the login banner is set:
hostname#show running-config | beg banner login
If the command does not return a result, the banner is not enabled.
Perform the following to determine if the MOTD banner is set:
hostname#sh running-config | beg banner motd
If the command does not return a result, the banner is not enabled.
Perform the following to determine if the webauth banner is set:
hostname#show ip admission auth-proxy-banner http
If the command does not return a result, the banner is not enabled.
4. Password Rules
Perform the following to determine enable secret is set:
If the command does not return a result, the enable password is not set.
hostname#sh run | incl enable secret
Perform the following to determine if the password encryption service is enabled:
Ensure a result matching the command is returned
hostname#sh run | incl service password-encryption
Perform the following to determine if a user with an encrypted password is
enabled:
If a result does not return with secret, the feature is not enabled
hostname#show run | incl username
5. SNMP Rules
Verify the result reads "SNMP agent not enabled"
hostname#show snmp community
Perform the following to determine if the private community string is enabled:
Ensure private does not show as a result
hostname# show snmp community
Perform the following to determine if the public community string is enabled:
Ensure public does not show as a result
hostname# show snmp community
Perform the following to determine if a read/write community string is
enabled:
Verify the result does not show a community string with a "RW"
hostname#show run | incl snmp-server community
Perform the following to determine if an ACL is enabled:
Verify the result shows a number after the community string
hostname#show run | incl snmp-server community
Perform the following to determine if the ACL is created:
Verify the appropriate access-list definitions
hostname#sh ip access-list <snmp_acl_number>
Perform the following to determine if an SNMP trap host is configured:
If the command returns configuration values, then SNMP is enabled.
hostname#show run | incl snmp-server
Perform the following to determine if SNMP traps are enabled:
If the command returns configuration values, then SNMP is enabled.
hostname#show run | incl snmp-server
Verify the result shows the appropriate group name and security model
hostname#show snmp groups
Verify the result shows the appropriate user name and security settings
hostname#show snmp user
6. Login Enhancements
Configures your Cisco IOS XE device for login parameters that help provide
DoS detection.
hostname#show running-config | inc login block
hostname#show auto secure config
hostname#show kerberos creds
hostname#show ip admission
6. Global Service Rules
Perform the following to determine if the host name is configured:
Verify the host name is configured properly.
hostname#sh run | incl hostname
Perform the following to determine if the domain name is configured:
Verify the domain name is configured properly
hostname#sh run | incl domain name
Perform the following to determine if the RSA key pair is configured:
hostname#sh crypto key mypubkey rsa
Perform the following to determine if the SSH timeout is configured:
Verify the timeout is configured properly.
hostname#sh ip ssh
Perform the following to determine if SSH authentication retries is configured:
Verify the authentication retries is configured properly.
hostname#sh ip ssh
Perform the following to determine if SSH version 2 is configured:
Verify that SSH version 2 is configured properly.
hostname#sh ip ssh
Verify the result shows "CDP is not enabled"
hostname#show cdp
Perform the following to determine if bootp is enabled:
Verify a "no ip bootp server" result returns
hostname#show run | incl bootp
Perform the following to determine if the DHCP service is enabled:
Verify no result returns
hostname#show run | incl dhcp
Perform the following to determine if identd is enabled:
Verify no result returns
hostname#show run | incl identd
Perform the following to determine if the feature is enabled:
Verify a command string result returns
hostname#show run | incl service tcp
Perform the following to determine if the feature is enabled:
Verify a command string result returns
hostname#show run | incl service tcp
Perform the following to determine if the feature is disabled:
Verify no result returns
hostname#show run | incl service pad
7. Logging Rules
Perform the following to determine if the feature is enabled:
Verify no result returns
hostname#show run | incl logging on
Perform the following to determine if the feature is enabled:
Verify a command string result returns
hostname#show run | incl logging buffered
Perform the following to determine if the feature is enabled:
Verify a command string result returns
hostname#show run | incl logging console
Perform the following to determine if a syslog server is enabled:
Verify one or more IP address(es) returns
hostname#sh log | incl logging host
Perform the following to determine if a syslog server for SNMP traps is
enabled:
Verify "level informational" returns
hostname#sh log | incl trap logging
Perform the following to determine if the additional detail is enabled:
Verify a command string result returns
hostname#sh run | incl service timestamps
Perform the following to determine if logging services are bound to a source
interface:
Verify a command string result returns
hostname#sh run | incl logging source
hostname#show running-config | inc login on-
7. NTP Rules
From the command prompt, execute the following commands:
hostname#show run | include ntp
From the command prompt, execute the following commands:
hostname#show run | include ntp authentication-key
From the command prompt, execute the following commands:
hostname#show run | include ntp trusted-key
The above command should return any NTP server(s) configured with encryption keys. This value should be the same as the total number of servers configured as tested in.
From the command prompt, execute the following commands:
hostname#show run | include ntp server
From the command prompt, execute the following commands:
hostname#sh ntp associations
8. Loopback Rules
Perform the following to determine if a loopback interface is defined:
Verify an IP address returns for the defined loopback interface
hostname#sh ip int brief | incl Loopback
Perform the following to determine if AAA services are bound to a source
interface:
Verify a command string result returns
hostname#sh run | incl tacacs source | radius source
Perform the following to determine if NTP services are bound to a source
interface:
Verify a command string result returns
hostname#sh run | incl ntp source
Perform the following to determine if TFTP services are bound to a source
interface:
Verify a command string result returns
hostname#sh run | incl tftp source-interface
9. Routing Rules
Verify the command string result returns
hostname#sh run | incl ip source-route
Verify the proxy ARP status
hostname#sh ip int {interface} | incl proxy-arp
Verify no tunnel interfaces are defined
hostname#sh ip int brief | incl tunnel
Verify uRPF is running on the appropriate interface(s)
hostname#sh ip int {interface} | incl verify source
10. Border Router Filtering
Verify you have the appropriate access-list definitions
hostname#sh ip access-list {name | number}
Verify the access-group is applied to the appropriate interface
hostname#sh run | sec interface {external_interface}
11. Neighbor Authentication
Verify the appropriate key chain is defined
hostname#sh run | sec key chain
Verify the appropriate key chain is defined
hostname#sh run | sec key chain
Verify the appropriate key chain is defined
hostname#sh run | sec key chain
Verify the appropriate address family is set
hostname#sh run | sec router eigrp
Verify the setting
hostname#sh run | sec router eigrp
Verify the appropriate key chain is set
hostname#sh run | sec router eigrp
Verify the appropriate address family authentication mode is set
hostname#sh run | sec router eigrp
Verify the appropriate key chain is set on the appropriate interface(s)
hostname#sh run int {interface_name} | incl key-chain
Verify the appropriate authentication mode is set on the appropriate
interface(s)
hostname#sh run int {interface_name} | incl authentication mode
12. OSPF Authentication
Verify message digest for OSPF is defined
hostname#sh run | sec router ospf
Verify the appropriate md5 key is defined on the appropriate interface(s)
hostname#sh run int {interface}
13. RIPv2 Authentication
Verify the appropriate key chain is defined
hostname#sh run | sec key chain
Verify the appropriate key chain is defined
hostname#sh run | sec key chain
Verify the appropriate key chain is defined
hostname#sh run | sec key chain
Verify the appropriate key chain and mode are set on the appropriate
interface(s)
hostname#sh run int {interface_name}
Verify the appropriate mode is set on the appropriate interface(s)
hostname#sh run int <interface>
14. BGP Authentication
Verify you see the appropriate neighbor password is defined:
hostname#sh run | sec router bgp
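As an added example (not part of this baseline), the following Python script evaluates several of the verification steps above against a running-config text rather than at the CLI, including the exec-timeout caveat that the 10-minute default does not appear in the configuration while "exec-timeout 0 0" disables the timeout. The config text, user names and password hashes are constructed placeholders.

```python
"""Audit an IOS running-config against several checks from this baseline.

Added example, not part of the baseline document. The config below is a
constructed sample mixing compliant and non-compliant settings; the check
logic mirrors the verification steps above.
"""
import re

# Constructed sample running-config (user hashes are placeholders, not real secrets).
SAMPLE_CONFIG = """\
hostname edge-sw1
service password-encryption
no ip source-route
username admin privilege 15 secret 5 $1$placeholder
username ops privilege 1 secret 5 $1$placeholder
snmp-server community public RO
snmp-server community netmon RW 10
line con 0
 exec-timeout 5 0
line aux 0
 no exec
 transport input none
line vty 0 4
 exec-timeout 0 0
 transport input ssh
 access-class 10 in
line vty 5 15
 transport input telnet ssh
"""


def parse_line_sections(config):
    """Return {'vty 0 4': ['exec-timeout 0 0', ...], ...} for every 'line ...' block."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None  # back in global configuration mode
    return sections


def exec_timeout_ok(commands, max_minutes=10):
    """True if the idle timeout is <= max_minutes.

    No exec-timeout line means the IOS default of 10 minutes, which is compliant
    but never shows in the running-config. 'exec-timeout 0 0' disables the
    timeout entirely and therefore fails the check.
    """
    for cmd in commands:
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
            if minutes == 0 and seconds == 0:
                return False
            return minutes * 60 + seconds <= max_minutes * 60
    return True


def audit(config):
    """Return a dict of control description -> bool (True = compliant)."""
    findings = {}
    lines = config.splitlines()

    for name, cmds in parse_line_sections(config).items():
        if name.startswith("vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            findings[f"line {name}: transport input ssh"] = transports == ["transport input ssh"]
            findings[f"line {name}: access-class applied"] = any(
                c.startswith("access-class") and c.endswith(" in") for c in cmds)
        if name.startswith("aux"):
            findings["line aux 0: no exec"] = "no exec" in cmds
            findings["line aux 0: transport input none"] = "transport input none" in cmds
        findings[f"line {name}: exec-timeout <= 10 min"] = exec_timeout_ok(cmds)

    findings["service password-encryption"] = "service password-encryption" in lines
    findings["no ip source-route"] = "no ip source-route" in lines

    users = [l for l in lines if l.startswith("username ")]
    findings["all local users privilege 1"] = all(re.search(r"\bprivilege 1\b", u) for u in users)
    findings["all local users use secret"] = all(" secret " in u for u in users)

    communities = [l.split() for l in lines if l.startswith("snmp-server community ")]
    names = {c[2] for c in communities}
    findings["no default community strings"] = names.isdisjoint({"public", "private"})
    findings["no RW community"] = not any("RW" in c[3:] for c in communities)
    # A number or name after RO/RW is the ACL restricting which stations may query.
    findings["every community has an ACL"] = all(len(c) >= 5 for c in communities)
    return findings


if __name__ == "__main__":
    for control, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```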
Remediation Severity
Set the local user to privilege level 1.
hostname(config)#username <LOCAL_USERNAME> privilege 1
High
Apply SSH to transport input on all VTY management lines.
hostname(config)#line vty <line-number> <ending-line-number>
hostname(config-line)#transport input ssh
High
Disable the EXEC process on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#no exec
High
Configure the VTY ACL that will be used to restrict management access to the device.
hostname(config)#access-list <vty_acl_number> permit tcp <vty_acl_block_with_mask> any
hostname(config)#access-list <vty_acl_number> permit tcp host <vty_acl_host> any
hostname(config)#access-list <vty_acl_number> deny ip any any log
High
Configure remote management access control restrictions for all VTY lines.
hostname(config)#line vty <line-number> <ending-line-number>
hostname(config-line)#access-class <vty_acl_number> in
High
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line aux 0
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>
High
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line con 0
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>
High
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line tty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>
High
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#line vty {line_number} [ending_line_number]
hostname(config-line)#exec-timeout <timeout_in_minutes> <timeout_in_seconds>
High
Disable the inbound connections on the auxiliary port.
hostname(config)#line aux 0
hostname(config-line)#transport input none
High
Limit the number of concurrent HTTP secure-server connections.
hostname(config)#ip http max-connections 2
High
Configure device timeout (10 minutes or less) to disconnect sessions after a fixed idle time.
hostname(config)#ip http timeout-policy idle 600 life {nnnn} requests {nn}
High
Globally enable authentication, authorization and accounting (AAA) using the new-model command.
hostname(config)#aaa new-model
High
Configure AAA authentication method(s) for login authentication.
hostname(config)#aaa authentication login {default | aaa_list_name} [passwd-expiry] method1 [method2]
High
Configure AAA authentication method(s) for enable authentication.
hostname(config)#aaa authentication enable default {method1} enable
High
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#line tty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}
High
Configure management lines to require login using the default or a named AAA authentication list. This configuration must be set individually for all line types.
hostname(config)#line vty {line-number} [ending-line-number]
hostname(config-line)#login authentication {default | aaa_list_name}
High
Configure HTTP management access to require login using the default or a named AAA authentication list.
hostname(config)#ip http secure-server
hostname(config)#ip http authentication aaa login-authentication {default | aaa_list_name}
High
Configure AAA accounting for commands.
hostname(config)#aaa accounting commands 15 {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
High
Configure AAA accounting for connections.
hostname(config)#aaa accounting connection {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
High
Configure AAA accounting for EXEC shell sessions.
hostname(config)#aaa accounting exec {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
High
Configure AAA accounting for network services.
hostname(config)#aaa accounting network {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
High
Configure AAA accounting for system events.
hostname(config)#aaa accounting system {default | list-name | guarantee-first} {start-stop | stop-only | none} {radius | group group-name}
High
Configure the EXEC banner presented to a user when accessing the device's enable prompt.
hostname(config)#banner exec c
Enter TEXT message. End with the character 'c'.
<banner-text>
c
High
Configure the device so a login banner is presented to a user attempting to access the device.
hostname(config)#banner login c
Enter TEXT message. End with the character 'c'.
<banner-text>
c
High
Configure the message of the day (MOTD) banner presented when a user first connects to the device.
hostname(config)#banner motd c
Enter TEXT message. End with the character 'c'.
<banner-text>
c
High
Configure the webauth banner presented when a user connects to the device.
hostname(config)#ip admission auth-proxy-banner http {banner-text | filepath}
High
Configure a strong enable secret password.
hostname(config)#enable secret <ENABLE_SECRET_PASSWORD>
High
Enable the password encryption service to protect sensitive access passwords in the device configuration.
hostname(config)#service password-encryption
High
Create a local user with an encrypted, complex (not easily guessed) password.
hostname(config)#username <LOCAL_USERNAME> secret <LOCAL_PASSWORD>
High
Disable SNMP read and write access if it is not used to monitor and/or manage the device.
hostname(config)#no snmp-server
High
Disable the default SNMP community string "private".
hostname(config)#no snmp-server community {private}
High
Disable the default SNMP community string "public".
hostname(config)#no snmp-server community {public}
High
Disable SNMP write access.
hostname(config)#no snmp-server community {write_community_string}
High
Configure an authorized SNMP community string and restrict access to authorized management systems.
hostname(config)#snmp-server community <community_string> ro {snmp_access-list_number | snmp_access-list_name}
High
Configure the SNMP ACL restricting access to the device to authorized management stations segmented in a trusted management zone.
hostname(config)#access-list <snmp_acl_number> permit <snmp_access-list>
hostname(config)#access-list <snmp_acl_number> deny any log
High
Configure an authorized SNMP trap community string and restrict sending messages to authorized management systems.
hostname(config)#snmp-server host {ip_address} {trap_community_string} snmp
High
Enable SNMP traps.
hostname(config)#snmp-server enable traps snmp authentication linkup linkdown coldstart
High
For each SNMPv3 group created on your router, add privacy options by issuing the following command.
hostname(config)#snmp-server group {group_name} v3 priv
High
For each SNMPv3 user created on your router, add privacy options by issuing the following command.
hostname(config)#snmp-server user {user_name} {group_name} v3 encrypted auth sha {auth_password} priv aes 128 {priv_password} access {acl_name_or_number}
High
To enable the feature, enter the following commands.
hostname(config)#login block-for {seconds} attempts {tries} within {seconds}
All login attempts made via Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is issued.
hostname(config)#login quiet-mode access-class {acl-name | acl-number}
hostname(config)#login delay {seconds}
High
How to Configure AutoSecure
hostname#auto secure {management | forwarding} {no-interact | full} {ntp | login | ssh | firewall | tcp-intercept}
High
Configuring Enhanced Security Access to the Router
hostname(config)#enable password {password | [encryption-type] encrypted-password}
hostname(config)#security authentication failure rate {threshold-rate} log
Adding Users to the KDC Database
Enter the following at the KDC administration prompt (on the KDC, not on the router):
ank {username@REALM}
ank {username/instance@REALM}
Creating SRVTABs on the KDC
Enter the following at the KDC administration prompt:
ark {SERVICE/HOSTNAME@REALM}
Make entries for all network services on all Kerberized hosts that use this KDC for authentication.
High
Defining a Kerberos Realm
hostname(config)#kerberos local-realm {kerberos-realm}
hostname(config)#kerberos server {kerberos-realm} {hostname | ip-address} [port-number]
hostname(config)#kerberos realm {dns-domain | host} {kerberos-realm}
Configuring the Authentication Rule and Interfaces
hostname(config)#ip admission name {name} proxy http
hostname(config)#interface {type slot/port}
hostname(config-if)#ip access-group {acl-name} in
hostname(config-if)#ip admission {name}
hostname(config)#ip admission max-login-attempts {number}
High
Configure an appropriate host name for the router.
High
hostname(config)#hostname {router_name}
Configure an appropriate domain name for the router.
High
hostname(config)#ip domain name {domain-name}
Generate an RSA key pair for the router.
High
hostname(config)#crypto key generate rsa general-keys modulus 2048
Configure the SSH timeout.
High
hostname(config)#ip ssh time-out [60]
Configure the SSH authentication retries.
High
hostname(config)#ip ssh authentication-retries [3]
Configure the router to use SSH version 2
High
hostname(config)#ip ssh version 2
Disable Cisco Discovery Protocol (CDP) service globally.
High
hostname(config)#no cdp run
Disable the bootp server.
High
hostname(config)#no ip bootp server
Disable the DHCP server.
High
hostname(config)#no service dhcp
Disable the ident server.
High
hostname(config)#no ip identd
Enable TCP keepalives-in service:
High
hostname(config)#service tcp-keepalives-in
Enable TCP keepalives-out service:
High
hostname(config)#service tcp-keepalives-out
Disable the PAD service.
High
hostname(config)#no service pad
Enable system logging.
hostname(config)#archive
hostname(config-archive)#log config
hostname(config-archive-log-cfg)#logging enable
hostname(config-archive-log-cfg)#end
High
Configure buffered logging (with minimum size). Recommended size is 64000.
hostname(config)#logging buffered [log_buffer_size]
High
Configure console logging level.
hostname(config)#logging console critical
High
Configure a syslog server.
hostname(config)#logging host syslog_server
High
Configure SNMP trap and syslog logging level.
hostname(config)#logging trap informational
High
Configure debug messages to include timestamps.
hostname(config)#service timestamps debug datetime {msec} show-timezone
High
Bind logging to the loopback interface.
hostname(config)#logging source-interface loopback {loopback_interface_number}
High
Log failed and successful login attempts.
hostname(config)#login on-failure log
hostname(config)#login on-success log
hostname(config)#end
High
Configure NTP authentication.
hostname(config)#ntp authenticate
High
Configure the NTP key ring and encryption key using the following command.
hostname(config)#ntp authentication-key {ntp_key_id} md5 {ntp_key}
High
Configure the NTP trusted key using the following command.
hostname(config)#ntp trusted-key {ntp_key_id}
High
Configure each NTP server to use a key ring using the following command.
hostname(config)#ntp server {ntp-server_ip_address} key {ntp_key_id}
High
Configure at least one external NTP server using the following command.
hostname(config)#ntp server {ip address}
High
Organizations should establish three Network Time Protocol (NTP) hosts to set consistent time across the enterprise. Enabling the 'ntp server ip address' enforces encrypted authentication between NTP hosts.
Define and configure one loopback interface.
hostname(config)#interface loopback <number>
hostname(config-if)#ip address <loopback_ip_address> <loopback_subnet_mask>
High
Bind AAA services to the loopback interface.
hostname(config)#ip {tacacs | radius} source-interface loopback {loopback_interface_number}
High
Bind the NTP service to the loopback interface.
hostname(config)#ntp source loopback {loopback_interface_number}
High
Bind the TFTP client to the loopback interface.
hostname(config)#ip tftp source-interface loopback {loopback_interface_number}
High
Disable source routing.
hostname(config)#no ip source-route
High
Disable proxy ARP on all interfaces.
hostname(config)#interface {interface}
hostname(config-if)#no ip proxy-arp
High
Organizations should plan and implement enterprise network security policies that disable insecure and unnecessary features that increase attack surface, such as 'tunnel interfaces'.
High
Enabling uRPF helps mitigate IP spoofing by ensuring packet source IP addresses originate only from expected interfaces. Configure unicast reverse-path forwarding (uRPF) on all external or high-risk interfaces.
High
Configure an ACL for private source address restrictions from external networks. The deny entries for internal and reserved sources must precede the permit rule(s), and the list ends with an explicit logged deny.
hostname(config)#ip access-list extended {name | number}
hostname(config-ext-nacl)#deny ip {internal_networks} any log
hostname(config-ext-nacl)#deny ip 127.0.0.0 0.255.255.255 any log
hostname(config-ext-nacl)#deny ip 10.0.0.0 0.255.255.255 any log
hostname(config-ext-nacl)#deny ip 0.0.0.0 0.255.255.255 any log
hostname(config-ext-nacl)#deny ip 172.16.0.0 0.15.255.255 any log
hostname(config-ext-nacl)#deny ip 192.168.0.0 0.0.255.255 any log
hostname(config-ext-nacl)#deny ip 192.0.2.0 0.0.0.255 any log
hostname(config-ext-nacl)#deny ip 169.254.0.0 0.0.255.255 any log
hostname(config-ext-nacl)#deny ip 224.0.0.0 31.255.255.255 any log
hostname(config-ext-nacl)#deny ip host 255.255.255.255 any log
hostname(config-ext-nacl)#permit {protocol} {source_ip} {source_mask} {destination} {destination_mask} log
hostname(config-ext-nacl)#deny ip any any log
hostname(config)#interface <external_interface>
hostname(config-if)#ip access-group <access-list> in
High
Apply the access-group to the external (untrusted) interface.
hostname(config)#interface {external_interface}
hostname(config-if)#ip access-group {name | number} in
High
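As an added example (not from the baseline), this Python script parses an extended ACL written in the form recommended above and evaluates sample source addresses against it first-match with an implicit deny, the way IOS does, so the deny-before-permit ordering can be checked offline before the list is applied. The ACL entries and addresses are constructed; 198.51.100.0/24 stands in for the internal network and 203.0.113.0/24 for a legitimate external client (both are documentation ranges).

```python
"""Evaluate a border ACL's deny-before-permit ordering the way IOS does.

Added example, not from the baseline. Entries are matched first-match with an
implicit deny at the end; IOS wildcard masks are converted to prefixes. Ports
and the 'log' keyword are ignored because only source filtering is under test.
"""
import ipaddress

# Constructed extended ACL in the recommended shape: internal and reserved
# sources denied first, then the least-privilege permit, then an explicit deny.
BORDER_ACL = """\
deny ip 198.51.100.0 0.0.0.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 192.168.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip host 255.255.255.255 any log
permit tcp any host 198.51.100.10 eq 443 log
deny ip any any log
"""

# Constructed sample of sources that must never be accepted from outside.
SPOOFED_SOURCES = ["198.51.100.7", "10.1.2.3", "172.31.0.9", "192.168.5.5",
                   "127.0.0.1", "169.254.1.1", "239.1.1.1", "0.0.0.5",
                   "255.255.255.255", "192.0.2.4"]


def parse_address(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A WILDCARD').

    Returns (ip_network, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the inverted netmask: 0.255.255.255 -> 255.0.0.0 (/8).
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(text):
    """Return a list of (action, protocol, src_network, dst_network) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = parse_address(tokens[2:])
        dst, _ = parse_address(rest)  # port operators such as 'eq 443' are ignored
        entries.append((action, proto, src, dst))
    return entries


def evaluate(entries, src_ip, dst_ip, proto="ip"):
    """First matching entry decides; no match means the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, entry_proto, src_net, dst_net in entries:
        if entry_proto not in ("ip", proto):
            continue
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def ends_with_explicit_deny(entries):
    """True if the last entry is 'deny ip any any' (the logged catch-all)."""
    action, proto, src, dst = entries[-1]
    return action == "deny" and proto == "ip" and src.prefixlen == 0 and dst.prefixlen == 0


def spoofed_sources_allowed(entries, sources, dst_ip, proto="tcp"):
    """Return the spoofed sources the ACL would permit; an empty list is the goal."""
    return [s for s in sources if evaluate(entries, s, dst_ip, proto) == "permit"]


if __name__ == "__main__":
    acl = parse_acl(BORDER_ACL)
    print("explicit final deny:", ends_with_explicit_deny(acl))
    print("spoofed sources permitted:", spoofed_sources_allowed(acl, SPOOFED_SOURCES, "198.51.100.10"))
    # Moving the permit above the deny entries shows why ordering matters.
    misordered = [acl[10]] + acl[:10] + [acl[11]]
    print("permitted if misordered:", spoofed_sources_allowed(misordered, SPOOFED_SOURCES, "198.51.100.10"))
```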
Establish the key chain.
hostname(config)#key chain {key-chain_name}
Configure the key number.
hostname(config-keychain)#key {key-number}
Configure the key string.
hostname(config-keychain-key)#key-string <key-string>
Configure the EIGRP address family.
hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
Configure the EIGRP address family interface defaults.
hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)#af-interface default
Configure the EIGRP address family key chain.
hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)#af-interface {interface-name}
hostname(config-router-af-interface)#authentication key-chain {eigrp_key-chain_name}
Medium
Configure the EIGRP address family authentication mode.
hostname(config)#router eigrp <virtual-instance-name>
hostname(config-router)#address-family ipv4 autonomous-system {eigrp_as-number}
hostname(config-router-af)#af-interface {interface-name}
hostname(config-router-af-interface)#authentication mode md5
Configure the interface with the EIGRP key chain.
hostname(config)#interface {interface_name}
hostname(config-if)#ip authentication key-chain eigrp {eigrp_as-number} {eigrp_key-chain_name}
Configure the interface with the EIGRP authentication mode.
hostname(config)#interface {interface_name}
hostname(config-if)#ip authentication mode eigrp {eigrp_as-number} md5
Configure the Message Digest option for OSPF.
hostname(config)#router ospf <ospf_process-id>
hostname(config-router)#area <ospf_area-id> authentication message-digest
Configure the appropriate interface(s) for Message Digest authentication.
hostname(config)#interface {interface_name}
hostname(config-if)#ip ospf message-digest-key {ospf_md5_key-id} md5 {ospf_md5_key}
Establish the key chain.
hostname(config)#key chain {rip_key-chain_name}
Configure the key number.
hostname(config-keychain)#key {key-number}
Configure the key string.
hostname(config-keychain-key)#key-string <key-string>
Configure the interface with the RIPv2 key chain.
hostname(config)#interface {interface_name}
hostname(config-if)#ip rip authentication key-chain {rip_key-chain_name}
Configure the RIPv2 authentication mode on the necessary interface(s).
hostname(config)#interface <interface_name>
hostname(config-if)#ip rip authentication mode md5
Configure BGP neighbor authentication where feasible.
hostname(config)#router bgp <bgp_as-number>
hostname(config-router)#neighbor <bgp_neighbor-ip | peer-group-name> password <password>
High